Privacy and legal

Privacy Policy

This Privacy Policy tells you about what data we collect, why we collect it and what we do with it. It also tells you about the rights that you have over your personal data.

How we look after your data for Psychological Services, Occupational Health Services, Musculoskeletal Services, Proactive Health and ActivePlus

The above services are currently provided by 3 AXA Health companies – AXA ICAS Limited, AXA ICAS Occupational Health Services Limited and AXA Health Services Limited. Over the coming months AXA Health Services Limited will become the Data Controller of information which was previously the responsibility of AXA ICAS Limited and AXA ICAS Occupational Health Services Limited. This is why you'll see some overlap in the services below.

AXA Health Services Limited also provides other services, such as administration services for clients' healthcare trust schemes. Those services are not described here as they are not covered by this policy. You can find the Privacy Policy covering those other services here.

AXA ICAS Limited

  • Psychological Services (including Employee Assistance Programme)
  • Proactive Health
  • ActivePlus

AXA ICAS Occupational Health Services Limited

  • Occupational Health Services
  • Musculoskeletal Services

AXA Health Services Limited

  • Psychological Services (including Employee Assistance Programme)
  • Proactive Health
  • Occupational Health Services
  • Musculoskeletal Services

You may have been directed to this policy either from a consent form, documentation you have received, an online service you have accessed, or by an AXA employee with whom you have spoken. This policy relates only to the companies and their services listed above and sets out details about how they process your personal information. The companies are each Data Controllers of your personal information (to the extent they each process your personal information) and they are each responsible for complying with data protection law. For the purposes of this Privacy Policy, references to "we" or "us" refer to these companies when they are providing you with the services listed above. From time to time we may need to make changes to this Privacy Policy, for example, as the result of government regulation, new technologies, or other developments in data protection laws or privacy generally. You should check this page periodically to view the most up to date version.

1. Our Privacy Principles

When we collect and use your personal information, we ensure we look after it properly and use it in accordance with our privacy principles set out below, keep it safe and will never sell it.

  1. Personal information you provide is processed fairly, lawfully and in a transparent manner
  2. Personal information you provide is collected for a specific purpose and is not processed in a way which is incompatible with the purpose for which we collected it
  3. Your personal information is adequate, relevant and limited to what is necessary in relation to the purposes we collected it
  4. Your personal information is kept accurate and, where necessary, kept up to date
  5. Your personal information is kept no longer than is necessary for the purposes for which the personal information is processed 
  6. We will take appropriate steps to keep your personal information secure
  7. Your personal information is processed in accordance with your rights
  8. We will only transfer your personal information to another country or an international organisation outside the United Kingdom or outside the European Economic Area when we have taken the required steps to ensure that your personal information is protected. Such steps may include placing the party we are transferring information to under contractual obligations to protect it to adequate standards
  9. AXA UK and AXA Group companies do not sell your personal information and we also prohibit the selling of customer data by any company which provides a service to us
  10. We endeavour to be transparent and clear about the way we use your personal information.

2. How do we collect your personal information?

Whilst there are a number of ways we collect your personal information, the two main ways are from information you tell us, and from information gathered from third parties. This may include information you share with us during conversations we have on the phone or face to face. We might also collect information about you from other people and organisations, such as your employer, other AXA Health companies, medical professionals (for example your GP), a treating specialist or physiotherapist in the form of a medical report. Our telephone system records your telephone number when you call us if you haven't withheld it.

3. What personal information do we collect and how do we use it?

We may collect personal information, such as your contact details and medical information. Please note, in certain circumstances we may need to process a large volume of medical information in order to provide the service to you or a third party, for example your employer. The information may be sensitive and confidential in nature.

We use your personal information in accordance with data protection regulations (including the UK GDPR and the Data Protection Act 2018) and clinical requirements. Below, you will find more about the purposes for which we process your personal information, and the data protection legal grounds we have to do so.

Psychological and Musculoskeletal Services

We will process your personal information to provide psychological and musculoskeletal services. If you use these services under your Private Medical Insurance plan or your employer's group scheme, you may see them referred to as 'Stronger Minds' and 'Working Body'. The main legal ground is that the processing is necessary for the performance of a contract with you or to which you are a party. For health and other special categories of information that we obtain we need to meet an additional condition for processing, which is the processing is necessary for the purpose of medical diagnosis, and the provision of healthcare or treatment.

Note: as with all provision of health-related services, there may be circumstances when we process your personal data under other legal grounds, for example:

  • To protect your vital interests or those of someone else
  • Within the context of a dispute or legal claim
  • To comply with a legal obligation
  • If it is in the public interest, for instance to assist certain bodies to investigate deficiencies in the standards of care provided
  • You have provided your explicit consent to specific processing activities

Occupational Health

Your employer may instruct us to carry out services* on health and safety grounds. Our legal grounds for doing this are that the processing is in the legitimate interest of your employer and in some cases, depending on your occupation, your work colleagues and members of the public. The additional condition for processing health information is that the processing is necessary for the purposes of preventative or occupational medicine or the assessment of your working capacity. As the legal grounds for processing your personal data are based on other parties' 'legitimate interests', you have the right to object to the processing and you can ask us to restrict our processing while we consider your objection. Please see sections 6 and 7 for more information about your data protection rights and how to exercise them.

(*) Occupational health management referrals, new starter health assessments, night worker health assessment, ergonomics, health surveillance assessments, fitness for work assessments, pilot medicals, cabin crew assessments, workplace adjustment assessments, workplace assessments, Air Traffic Controller Officer medicals, pregnancy – new and expectant mums, pensions. 

Anonymising your occupational health related personal information

We analyse anonymous information to gain insights about how we can improve our products and services and the health and wellbeing of the people who use them. Further, it allows us to show clients how their workforces interact with different AXA Health services and provide them with workforce health trends. To do this we may bring together information from your use of various AXA Health services, such as your employer's healthcare scheme, and analyse it without using information from which you can be identified. If you'd prefer that we don't use your anonymised information for these purposes, please let us know.

The way that we anonymise personal information is in line with regulatory guidance and is achieved using different techniques, for example removing identifying data or overwriting it with randomised non-identifiable data. In line with regulatory guidance our use of your personal information to create anonymised data relies on the same legal grounds and conditions that were relied on when we obtained your data: the processing is in the legitimate interests of your employer/colleagues/members of the public, and is necessary for the purposes of preventative occupational medicine.

Note: as with all provision of health-related services, there may be circumstances when we process your personal information under other legal grounds, for example:

  • To protect your vital interests or those of someone else
  • Within the context of a dispute or legal claim
  • To comply with a legal obligation
  • If it is in the public interest, for instance to assist certain bodies to investigate deficiencies in the standards of care provided
  • You have provided your explicit consent to specific processing activities

Clinical consent processes for psychological, musculoskeletal and occupational health services

In respect of these services, we also have to satisfy clinical confidentiality rules. This is in addition to meeting the 'legal grounds' and conditions for processing under Data Protection law. We do this by asking you for a clinical consent to process your clinical information, undertake health-related assessments and to share information from clinical records with third parties, for example your employer for occupational health purposes, or a healthcare professional involved in your care for our other services. Our clinical consent processes are based on the General Medical Council (GMC) Confidentiality Guidance and the Faculty of Occupational Medicine's Ethical Guidance, as well as laws such as the Access to Medical Reports Act 1988 (where applicable). Clinical consent is not the same as consent to process personal information under data protection law; we do not generally use consent as our legal ground or condition for processing personal information under data protection law. If we ever need your consent under data protection law to process your personal data, we'll make that clear to you at the time.

ActivePlus

We may process your information to provide you with gym membership or to offer and supply you with the products that you purchase or products that your employer makes available to you through ActivePlus. The legal ground for processing is that the processing is necessary for performance of a contract.

ActivePlus also asks for your marketing preferences so that AXA ICAS Ltd and other companies within the AXA UK group can send you marketing material. You can change your preferences at any time. Separate to that, we may use your personal information for other marketing purposes, even if we do not actually send marketing material to you. The legal ground for doing this is that it is in these companies' legitimate interests. You have the right not to have your personal information used for marketing purposes.

Using your personal information to understand our services

We use your personal information to help us understand our business and monitor our performance. 

We may provide reports to your employer, or a parent company, for example about service utilisation and workforce health trends. These are based on aggregated data to a level which means you cannot be identified. 

We may use your personal information collected from customer satisfaction surveys and where possible, we will anonymise such information. However, sometimes we may need to use your personal information. Where necessary, we will obtain your consent as our legal ground to process your personal information under data protection rules.

4. Who do we share your personal information with?

Disclosures within the AXA Group

We may share information with other AXA companies, for example with the medical insurance company to help you obtain medical treatment covered by your healthcare policy or scheme. Where you have expressed marketing preferences this information will also be shared. Your personal information may also be transferred to other companies when we make changes to our Group company structure. 

Disclosures to third parties

With the appropriate data protection legal ground, where necessary additional data protection condition for processing, and clinical consent, we may disclose your information to the categories of third parties listed below for the purposes described in this Privacy Policy. This might include:

  • Your relatives, guardians (on your behalf if you are incapacitated) or other people or organisations connected to you
  • Your current, past or prospective employers
  • Your medical, social and welfare advisers or practitioners 
  • Our third party clinical providers
  • Our third party services providers such as IT suppliers, auditors, lawyers
  • Professional regulatory bodies for example the General Medical Council (GMC) and the Nursing and Midwifery Council (NMC)
  • The police, health and social care practitioners for the purposes of safeguarding (Health and Social Care Act 2012, Article 13, 2 (d))
  • Information Commissioner's Office (ICO) UK, Office of the Information Commissioner (OIC) Jersey

Disclosure of your personal information to a third party outside the AXA Group will only be made when the third party has agreed to keep your information strictly confidential and to use it only for the specific purpose for which we provide it to them.

Processing outside the UK and the European Economic Area

Some recipients (within the AXA Group or external to it) may be in countries outside the UK and the EEA notably in Switzerland, where AXA has a Data Centre. Recipients may also include countries where data protection standards are not as strong as they are in the UK and EEA for example in India, where some administration or computer maintenance activities may be undertaken. Where we make a transfer of your personal information outside the UK and the EEA we will take steps to ensure that it is protected. Such steps will include placing the party we are transferring personal information to under contractual obligations to protect it to adequate standards.

5. How long do we keep records for?

We keep your personal information for as long as reasonably necessary to fulfil the purposes set out in this Privacy Policy and in order to comply with our legal and regulatory obligations. 

In most cases, we keep your information for between three and six years after our last interaction with you, but this varies depending on what data we hold, why we hold it and what we're obliged to do by the regulator or the law. It can be up to seven years, unless there is a legal or medical regulatory requirement to retain it for a longer period.

6. Your Rights

You can ask us to do various things with your personal information. For example, at any time you can ask us for a copy of your personal information, ask us to correct mistakes, change the way we use your information, or even delete it. We'll either do what you've asked or explain why we can't - usually this will be for a legal or regulatory reason.

You can make any of the requests set out below by using the contact details you have been provided with for our services or alternatively as set out in section 7.  

The right to access your personal information 

You are entitled to a copy of the personal information we hold about you and certain details of how we use it.  There will not usually be a charge for dealing with these requests. Where you have made the request by electronic means the information will be provided to you by electronic means where possible.

The right to rectification

We take steps to ensure that the personal information we hold about you is accurate and complete. However, if you believe information about you is incomplete or inaccurate, please contact us and you can ask us to update or amend it. Please note that this does not give you a right to require that a clinician change their professional opinion should you disagree with it.

The right to erasure

In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the original purpose or if we rely on your consent as the legal grounds to process it under data protection law and you withdraw that consent. However, please note that there may be legal and regulatory obligations which mean that we cannot comply with all erasure requests.  

Right to restriction of processing

In certain circumstances, you are entitled to ask us to temporarily restrict our use of your personal information, for example where you think that the personal information we hold about you may be inaccurate, or where you have objected to our use of your information, and we are considering how to respond. You may also ask us to keep information on a restricted basis where we would otherwise delete it.

Right to data portability

In certain circumstances, you have the right to ask that we provide you in machine readable format, or where feasible transfer to a third party, personal information that you have provided to us yourself. Once transferred, the other party will be responsible for looking after your personal information.

Right to object

In certain circumstances, you have the right to object to processing of your personal information. You have an absolute right to object to use of your personal information for marketing purposes.

The right to withdraw consent

When we have relied on your consent as the legal basis and condition to process your information under data protection law you have the right to withdraw that consent.

As stated in the earlier section “Clinical consent processes for psychological, musculoskeletal and occupational health services,” clinical consent is not the same as consent under Data Protection law. Where we obtain a clinical consent this may be subject to different rules, for example those set out by the General Medical Council, and this right may not apply.

Complaints

You have a right to complain to the data protection regulators at any time about the way we use your personal information, but before you do they will expect you to have raised your complaint with us first and for us to try to resolve it with you. You can find more information at the following;

7. Contact Details of the Data Protection Officer

If you wish to contact the Data Protection Officer, the details are:

The Data Protection Officer
AXA Health
AXIS House
23 St Leonards Road
Eastbourne
BN21 3PX                 
email address: dataprotectionofficer@axahealth.co.uk  

8. Company Details for AXA 

AXA ICAS Limited 

AXA ICAS Limited trading as AXA Health, is a private limited company incorporated in England and Wales with company number 02548573 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG.

AXA ICAS Occupational Health Services Limited

AXA ICAS Occupational Health Services Limited trading as AXA Health, is a private limited company incorporated in England and Wales with company number 01336017 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG.

AXA Health Services Limited

AXA Health Services Limited trading as AXA Health, is a private limited company incorporated in England and Wales with company number 05961472 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG.

AXA UK Group

Information about some of the other companies in the wider AXA UK Group is available here. 

9. Health Services data privacy declaration

Your personal information can help us give you a better, more personalised service. But looking after that data is a big responsibility. We take our responsibilities seriously, so we've introduced internationally recognised data privacy rules to protect you. We keep your data safe, confidential and will never sell it. And, if you ask us to, we'll tell you exactly what information we have so you can be sure it's up-to-date and accurate. 

Our commitment to safeguard personal information

We know that respecting the confidentiality of personal information is critical to preserving your trust. We have therefore developed security procedures, and we use a range of organisational and technical security measures designed to protect your personal information from unauthorised use or disclosure.

We process your personal information in accordance with all applicable laws. This includes always having legal grounds under Data Protection law to process your personal information. Additionally, we collect your clinical consent to process your clinical information, to undertake health-related assessments and to share that clinical information with third parties, for example your employer for occupational health purposes or a healthcare professional involved in your care for our other services. Please be aware that clinical consent is not the same as consent under data protection law, so where we obtain a clinical consent this is subject to different rules, for example those set out by the General Medical Council.